To reproduce, it may be that the host being reverse looked-up must have a PTR
record and a CNAME. That would explain why the problem only became apparent to
us today (after that specific host was given a CNAME). This may point to the
squid bug being:
http://www.squid-cache.org/bugs/show_bug.cgi?id=1136
although that refers to multiple PTR records, rather than PTR & CNAME, but I'd
imagine that you'd want dstdomain (and other acl DNS lookups) to match CNAMEs as
well, so it wouldn't surprise me if this would trigger it as well.